Let me add a few things to what was already mentioned by Gari Singh in his answer. Keep in mind that an Autopilot cluster, due to its fully managed nature in comparison with a standard GKE cluster, has quite a wide range of workload limitations and restrictions.
Although it is not mentioned explicitly in the docs that running the IP masquerade agent on this type of cluster is not supported, it can be deduced from this fragment, where you can read:
The kube-system namespace is managed, meaning that all resources in this namespace cannot be altered and new resources cannot be created.
And this is basically what your IP masquerade agent is trying to do. The error message you get explains in fact the exact reason why it cannot be done:
...cannot create resource "configmaps" in API group "" in the namespace "kube-system"...
...the namespace "kube-system" is managed and the request's verb "create" is denied...
However, I fully agree that the documentation probably needs some improvement, as the following fragment in the article you linked:
- Choose a default Compute Engine zone for zonal clusters or a region for regional or Autopilot clusters.
may suggest that it should also work on an Autopilot cluster.
What I would suggest in such a case is to create a new issue on Google's public issue tracker (search for Kubernetes Engine on the list), and request to remove the above fragment about Autopilot or even add explicit information that the IP masquerade agent is not supported on this type of cluster.